CapitalPool.approve()
takes the token address as a parameter and grants allowance to TokenManager
. However, within TokenManager
, if the allowance is 0, the operation ICapitalPool(_capitalPoolAddr).approve(address(this));
executes but it uses its own address (TokenManager) instead of the token address.
Below is the incorrect approve call in TokenManager._transfer()
;
If CapitalPool.approve()
has not been called previously (which, according to the comment in that function, is intended to be called only by TokenManager
, but as a separate issue it is permissionless and allows arbitrary calls), _transfer
will always revert.
Foundry
Call CapitalPool.approve()
with the token address correctly;
If we consider the correct permissioned implementation for the `approve()` function within `CapitalPool.sol`, this would be a critical severity issue, because the withdrawal of funds will be permanently blocked and must be rescued by the admin via the `Rescuable.sol` contract, given it will always revert [here](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/CapitalPool.sol#L36-L38) when attempting to call a non-existent function selector `approve` within the TokenManager contract. The argument up in the air is since the approval function `approve` was made permisionless, the `if` block within the internal `_transfer()` function will never be invoked if somebody beforehand calls approval for the TokenManager for the required token, so the transfer will infact not revert when a withdrawal is invoked. I will leave open for escalation discussions, but based on my first point, I believe high severity is appropriate.
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.